Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
7ab28f9678 | ||
|
|
6bd8db31fe | ||
|
|
b449e6efd0 | ||
|
|
764b218deb |
@@ -34,7 +34,7 @@ import {MEDIATYPE_PAYLOAD as INTOTO_MEDIATYPE_PAYLOAD, Subject} from '../types/i
|
||||
import {FULCIO_URL, REKOR_URL, SEARCH_URL, TSASERVER_URL} from '../types/sigstore/sigstore';
|
||||
|
||||
export interface SignAttestationManifestsOpts {
|
||||
imageName: string;
|
||||
imageNames: Array<string>;
|
||||
imageDigest: string;
|
||||
noTransparencyLog?: boolean;
|
||||
}
|
||||
@@ -101,12 +101,13 @@ export class Sigstore {
|
||||
core.info(`Using Sigstore signing endpoint: ${endpoints.fulcioURL}`);
|
||||
const noTransparencyLog = Sigstore.noTransparencyLog(opts.noTransparencyLog);
|
||||
|
||||
const attestationDigests = await this.imageTools.attestationDigests(`${opts.imageName}@${opts.imageDigest}`);
|
||||
for (const attestationDigest of attestationDigests) {
|
||||
const attestationRef = `${opts.imageName}@${attestationDigest}`;
|
||||
await core.group(`Signing attestation manifest ${attestationRef}`, async () => {
|
||||
// prettier-ignore
|
||||
const cosignArgs = [
|
||||
for (const imageName of opts.imageNames) {
|
||||
const attestationDigests = await this.imageTools.attestationDigests(`${imageName}@${opts.imageDigest}`);
|
||||
for (const attestationDigest of attestationDigests) {
|
||||
const attestationRef = `${imageName}@${attestationDigest}`;
|
||||
await core.group(`Signing attestation manifest ${attestationRef}`, async () => {
|
||||
// prettier-ignore
|
||||
const cosignArgs = [
|
||||
'--verbose',
|
||||
'sign',
|
||||
'--yes',
|
||||
@@ -115,38 +116,39 @@ export class Sigstore {
|
||||
'--new-bundle-format',
|
||||
'--use-signing-config'
|
||||
];
|
||||
if (noTransparencyLog) {
|
||||
cosignArgs.push('--tlog-upload=false');
|
||||
}
|
||||
core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
|
||||
const execRes = await Exec.getExecOutput('cosign', [...cosignArgs, attestationRef], {
|
||||
ignoreReturnCode: true,
|
||||
silent: true,
|
||||
env: Object.assign({}, process.env, {
|
||||
COSIGN_EXPERIMENTAL: '1'
|
||||
}) as {
|
||||
[key: string]: string;
|
||||
if (noTransparencyLog) {
|
||||
cosignArgs.push('--tlog-upload=false');
|
||||
}
|
||||
core.info(`[command]cosign ${[...cosignArgs, attestationRef].join(' ')}`);
|
||||
const execRes = await Exec.getExecOutput('cosign', [...cosignArgs, attestationRef], {
|
||||
ignoreReturnCode: true,
|
||||
silent: true,
|
||||
env: Object.assign({}, process.env, {
|
||||
COSIGN_EXPERIMENTAL: '1'
|
||||
}) as {
|
||||
[key: string]: string;
|
||||
}
|
||||
});
|
||||
const signResult = Cosign.parseCommandOutput(execRes.stderr.trim());
|
||||
if (execRes.exitCode != 0) {
|
||||
if (signResult.errors && signResult.errors.length > 0) {
|
||||
const errorMessages = signResult.errors.map(e => `- [${e.code}] ${e.message} : ${e.detail}`).join('\n');
|
||||
throw new Error(`Cosign sign command failed with errors:\n${errorMessages}`);
|
||||
} else {
|
||||
throw new Error(`Cosign sign command failed with exit code ${execRes.exitCode}`);
|
||||
}
|
||||
}
|
||||
const attest = Sigstore.toAttestation(bundleFromJSON(signResult.bundle));
|
||||
if (attest.tlogID) {
|
||||
core.info(`Uploaded to Rekor transparency log: ${SEARCH_URL}?logIndex=${attest.tlogID}`);
|
||||
}
|
||||
core.info(`Signature manifest pushed: https://oci.dag.dev/?referrers=${attestationRef}`);
|
||||
result[attestationRef] = {
|
||||
...attest,
|
||||
imageName: imageName
|
||||
};
|
||||
});
|
||||
const signResult = Cosign.parseCommandOutput(execRes.stderr.trim());
|
||||
if (execRes.exitCode != 0) {
|
||||
if (signResult.errors && signResult.errors.length > 0) {
|
||||
const errorMessages = signResult.errors.map(e => `- [${e.code}] ${e.message} : ${e.detail}`).join('\n');
|
||||
throw new Error(`Cosign sign command failed with errors:\n${errorMessages}`);
|
||||
} else {
|
||||
throw new Error(`Cosign sign command failed with exit code ${execRes.exitCode}`);
|
||||
}
|
||||
}
|
||||
const attest = Sigstore.toAttestation(bundleFromJSON(signResult.bundle));
|
||||
if (attest.tlogID) {
|
||||
core.info(`Uploaded to Rekor transparency log: ${SEARCH_URL}?logIndex=${attest.tlogID}`);
|
||||
}
|
||||
core.info(`Signature manifest pushed: https://oci.dag.dev/?referrers=${attestationRef}`);
|
||||
result[attestationRef] = {
|
||||
...attest,
|
||||
imageName: opts.imageName
|
||||
};
|
||||
});
|
||||
}
|
||||
}
|
||||
} catch (err) {
|
||||
throw new Error(`Signing BuildKit attestation manifests failed: ${(err as Error).message}`);
|
||||
|
||||
48
yarn.lock
48
yarn.lock
@@ -1797,17 +1797,6 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"@octokit/endpoint@npm:^9.0.0":
|
||||
version: 9.0.0
|
||||
resolution: "@octokit/endpoint@npm:9.0.0"
|
||||
dependencies:
|
||||
"@octokit/types": "npm:^11.0.0"
|
||||
is-plain-object: "npm:^5.0.0"
|
||||
universal-user-agent: "npm:^6.0.0"
|
||||
checksum: 10/ec160fe1a0d5244ef380b1f4fce9586bcf82ee5f24f92f128aec898255eb148620f5622fcd0dc876678b0f84dc8e7210469108afc150c0080916b7c16fbfe49e
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"@octokit/endpoint@npm:^9.0.6":
|
||||
version: 9.0.6
|
||||
resolution: "@octokit/endpoint@npm:9.0.6"
|
||||
@@ -1940,18 +1929,7 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"@octokit/request-error@npm:^5.0.0":
|
||||
version: 5.0.0
|
||||
resolution: "@octokit/request-error@npm:5.0.0"
|
||||
dependencies:
|
||||
"@octokit/types": "npm:^11.0.0"
|
||||
deprecation: "npm:^2.0.0"
|
||||
once: "npm:^1.4.0"
|
||||
checksum: 10/de7ed2934035650c67b619130c407c6eec7fc80c9c47c27131feaace76fa01c64e35338cb19d4b3838f5f53f3d174a5f0933e1dc7921b952411b0457b599dc71
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"@octokit/request-error@npm:^5.1.1":
|
||||
"@octokit/request-error@npm:^5.0.0, @octokit/request-error@npm:^5.1.1":
|
||||
version: 5.1.1
|
||||
resolution: "@octokit/request-error@npm:5.1.1"
|
||||
dependencies:
|
||||
@@ -1962,20 +1940,7 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"@octokit/request@npm:^8.0.1, @octokit/request@npm:^8.0.2":
|
||||
version: 8.1.1
|
||||
resolution: "@octokit/request@npm:8.1.1"
|
||||
dependencies:
|
||||
"@octokit/endpoint": "npm:^9.0.0"
|
||||
"@octokit/request-error": "npm:^5.0.0"
|
||||
"@octokit/types": "npm:^11.1.0"
|
||||
is-plain-object: "npm:^5.0.0"
|
||||
universal-user-agent: "npm:^6.0.0"
|
||||
checksum: 10/62fd236ef88de3bc7ecb652414751eb3934f589727e938736cb1b76545384d6db225abeae12371a1d6017bff2ae82948bf529af6b746131bdb3a270bfb177ac1
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"@octokit/request@npm:^8.4.1":
|
||||
"@octokit/request@npm:^8.0.1, @octokit/request@npm:^8.0.2, @octokit/request@npm:^8.4.1":
|
||||
version: 8.4.1
|
||||
resolution: "@octokit/request@npm:8.4.1"
|
||||
dependencies:
|
||||
@@ -1987,7 +1952,7 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"@octokit/types@npm:^11.0.0, @octokit/types@npm:^11.1.0":
|
||||
"@octokit/types@npm:^11.0.0":
|
||||
version: 11.1.0
|
||||
resolution: "@octokit/types@npm:11.1.0"
|
||||
dependencies:
|
||||
@@ -6231,13 +6196,6 @@ __metadata:
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"is-plain-object@npm:^5.0.0":
|
||||
version: 5.0.0
|
||||
resolution: "is-plain-object@npm:5.0.0"
|
||||
checksum: 10/e32d27061eef62c0847d303125440a38660517e586f2f3db7c9d179ae5b6674ab0f469d519b2e25c147a1a3bc87156d0d5f4d8821e0ce4a9ee7fe1fcf11ce45c
|
||||
languageName: node
|
||||
linkType: hard
|
||||
|
||||
"is-regex@npm:^1.1.4":
|
||||
version: 1.1.4
|
||||
resolution: "is-regex@npm:1.1.4"
|
||||
|
||||